Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 08/18/04

    Date: Tue, 17 Aug 2004 18:46:19 -0700
    
    

    A computer principal will have no rights beyond itself if not in
    a domain.
    The ODBC configuration dialog you mention is asking for
    an identity to use while defining the connection. It is not
    the identity that will be used when the connection is used.
    When the application instances the connection it can provide
    credentials to be used if those are for a SQL account. If one
    uses Windows integrated security, then the identity that owns
    the process where the connection is established is what is
    used. Either way, a Windows identity or a SQL account,
    that identity needs to have been granted the needed login
    and database permissions in SQL.

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA,  MCSE W2k3+W2k+Nt4
    "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message 
    news:OuiLEQGhEHA.2812@tk2msftngp13.phx.gbl...
    > Hi,
    >
    > Thank you for these suggestions:
    >
    > Solution 1 would cause a lot of "development" reworking so for now I would
    > like to pursue your second solution.
    >
    > The problem I have now is in modifying the ODBC connection.  The ODBC
    > configuration dialog allows me to select either:
    > "With Windows NT authentication using the network login ID" or
    > "With SQL Server authentication using a login ID and password entered by
    > the user"
    >
    > If I use "With Windows NT authentication using the network login ID", how
    > can I get the ODBC to use the computer's security principal since the ODBC
    > configuration dialog does not allow me to specify the user?  Given that,
    > won't the ODBC connection use the LocalSystem account since that is what
    > WMI is running as [i.e. the original problem]?
    >
    > If I use "With SQL Server authentication using a login ID and password
    > entered by the user", how can I (doing the ODBC connection configuration)
    > and the SQL sys. admin (specifying the computer principal as a valid user
    > for the database instance) know the password of the computer's security
    > principal?
    >
    > Thanks in advance.
    >
    > "Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
    > news:u4Ohi76gEHA.384@TK2MSFTNGP10.phx.gbl...
    >> WinMgmt was never tested in a different than LocalSystem account,
    >> and, your mileage in running it as a different account can vary.
    >> [BTW, in Win2000-SP4, the ability to run the WinMgmt.exe process
    >> as a standalone DCOM server has been removed to avoid these problems].
    >>
    >> For your problem, there are conceptually 2 solutions:
    >> - make the Event-Provider a standalone provider,
    >> and run that standalone DCOM component in a service (already suggested).
    >> - enable Mixed-Mode or Windows Authentication in the SQL server,
    >> be sure you have a Kerberos authentication infrastructure in place,
    >> and use the machine account (MachineName$)
    >> as the account who performs the query.
    >>
    >> Starting Win2000, the machine accounts are security principals,
    >> and they can be treated as such.
    >>
    >> -- 
    >> This posting is provided "AS IS" with no warranties, and confers no rights.
    >> Use of any included script samples are subject to the terms specified at
    >> http://www.microsoft.com/info/cpyright.htm
    >>
    >>
    >> "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
    >> news:eT0MZqZgEHA.596@TK2MSFTNGP11.phx.gbl...
    >> > Hi All,
    >> >
    >> > I have a WMI Event Provider (hosted by WinMgmt since it is on Windows
    >> > 2000) which spawns another process (cmd.exe which invokes cscript.exe
    >> > [i.e. a JScript]).  This spawned process needs to open an ODBC connection
    >> > to a SQL server on another computer in the network.  WMI is currently
    >> > running as (i.e. "Log on As") LocalSystem (again this is W2K).  I tried to
    >> > change the "Log on As" to a local system account that has the proper
    >> > privileges to the ODBC connection.  I verified that this account had the
    >> > "Log on as a service" local policy.  When I try to start WMI using the new
    >> > account though it fails to start.  The event log did not offer any clues.
    >> > Does anyone have any thoughts on:
    >> > 1.  What might be making WMI fail to start when it is changed from
    >> > LocalSystem to another user account (do I need to change something in
    >> > dcomcfg?)
    >> > 2.  If WMI has any dependency services and if so, do they need to be
    >> > changed to the other user account as well?
    >> > 3.  What security auditing can I enable to troubleshoot this type of
    >> > problem?
    >> >
    >> > Thanks in advance,
    >> >
    >> > Anthony LaMark
    >> > eXc Software
    >> >
    >> >
    >>
    >>
    >
    > 
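
Added example, not part of the original thread: the SQL Server side of the machine-account approach discussed above, granting the computer principal a login and only the database permission it needs, then checking which identity the ODBC connection actually arrives as. It assumes both machines are domain members and uses the SQL Server 2000-era system procedures; the domain, computer, database, table and user names are placeholders.

```sql
-- Run on the SQL Server as a sysadmin. All names are placeholders (assumptions):
--   EXAMPLEDOM\COMPUTERA$        machine account of the host where WinMgmt runs
--                                as LocalSystem
--   ExampleDb, dbo.ExampleTable  database and table the spawned script queries
--   ComputerA_wmi                database user name chosen for the mapping

-- 1. Allow the machine account to log in through Windows authentication.
--    No password is set or shared: the domain vouches for the machine account.
EXEC sp_grantlogin N'EXAMPLEDOM\COMPUTERA$';
GO

-- 2. Map that login to a user in the one database it needs.
USE ExampleDb;
GO
EXEC sp_grantdbaccess N'EXAMPLEDOM\COMPUTERA$', N'ComputerA_wmi';
GO

-- 3. Grant only what the query requires. Every LocalSystem process on
--    COMPUTERA presents this same identity on the network, so avoid
--    broad roles such as db_owner.
GRANT SELECT ON dbo.ExampleTable TO ComputerA_wmi;
GO

-- 4. Verification query: run it through the ODBC DSN from the spawned
--    process. With Windows authentication the first column should show the
--    machine account, not the identity typed into the ODBC configuration
--    dialog when the DSN was defined.
SELECT SUSER_SNAME() AS login_seen_by_sql_server,
       USER_NAME()   AS database_user;
```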
    
